Can An Engineer Prevent the Unknown?

As automakers roll out autonomous driving features at the Consumer Electronics Show and the Detroit Auto Show this week and next, there's an unspoken question nagging at the fringes of the technology: Will future engineers have to find ways to prove these self-driving features don't cause accidents?

The question is especially relevant now, in the wake of the recently settled Toyota unintended acceleration case. A 76-year-old woman sped out of control in her 2005 Toyota Camry as she was exiting an Oklahoma highway; the crash injured her and killed her passenger. A jury found Toyota responsible, awarding $1.5 million to the driver and $1.5 million to the family of the passenger.

The disturbing issue at the heart of the case is that we still don't know what caused the accident. Toyota claimed pedal misapplication -- the driver stepped on the accelerator when she thought she was stepping on the brake. The plaintiff's lawyers targeted the electronic throttle, citing testimony from an expert who said that the car's software code was faulty. But with no smoking-gun evidence, Toyota was left with the unenviable task of proving that its questionable software didn't cause the accident.

If you think about it, that's a tough task. Virtually all software-based products have some issues. And powertrain controllers contain hundreds of thousands of lines of software code, all of which can interact with vehicle subsystems in billions of ways -- maybe trillions. To prove something didn’t happen, engineers essentially would have to say, "We know exactly how many possibilities exist. We've tried all 16 trillion of them, and we know it can't happen."

All this is relevant for today's automakers because almost every new car uses an electronic throttle, or throttle by wire, as it's known. It's a key enabler for adaptive cruise control, traction control, electronic stability control, torque blending, cam phasing, cylinder deactivation, and countless other features. "If the issue is throttle by wire, then it's not just a Toyota problem, and it's not just an autonomous vehicle problem," Gregory Shaver, associate professor of mechanical engineering at Purdue University, told us. "If we can't trust the software, then we have to step back and take a look at almost every vehicle we've made in the past 15-plus years."

The problem would be much simpler if we could point a finger at the causes of such accidents and then fix them. But we can't do that. We can only surmise and rely on likely scenarios, leaving Toyota to deal with the same unsettling problem that nearly crushed Audi in the 1980s.

The fact that the electronic throttle is essentially a time-tested technology adds to the perplexity. "Think about how many years they've been on the road, how many vehicles are driving around with electronic throttles, and how many miles have been logged," Jeremy Worm, PE, director of the Mobile Lab at Michigan Tech University, told us. "Many of these vehicles have gone through entire life cycles. That should tell us that the electronic throttle is a robust technology."

There are some partial solutions. Brake-throttle override, in which brake actuation shuts down a wide-open throttle, should help. And automotive black boxes, which record the driver's actions during an accident, will provide an explanation that's superior to a courtroom debate.
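The brake-throttle override and the black box described above, worked through as an added C example (not code from the article, from Toyota, or from any automaker): the arbitration checks that two accelerator-pedal tracks agree before trusting either, cuts the throttle to idle when the brake is pressed while the throttle is substantially open, and records each control cycle's pedal readings and decision in a small ring buffer so an investigator can later see what the driver and the controller actually did. The dual-track sensor layout, the percentage thresholds and the recorder depth are assumptions chosen for illustration, not any vendor's calibration.

```c
#include <stdint.h>
#include <stdio.h>

/* Pedal readings in percent of travel (0..100). Two redundant accelerator tracks let the
 * controller detect one bad sensor. Layout and thresholds are assumptions for this example. */
typedef struct { uint8_t accel_a, accel_b, brake; } pedal_input_t;

typedef enum {
    MODE_NORMAL = 0,
    MODE_BRAKE_OVERRIDE, /* brake pressed with open throttle: throttle cut to idle */
    MODE_LIMP            /* accelerator tracks disagree: fixed low throttle */
} throttle_mode_t;

typedef struct { uint8_t throttle_cmd; throttle_mode_t mode; } throttle_output_t;

#define ACCEL_PLAUSIBILITY_TOL 10 /* max disagreement between tracks, percent */
#define BRAKE_PRESSED_THRESHOLD 5 /* brake travel treated as "pressed" */
#define OVERRIDE_ACCEL_MIN 20     /* override only when throttle is substantially open */
#define LIMP_THROTTLE 10          /* throttle allowed when the sensors cannot be trusted */

/* Plausibility is checked first, so a stuck or noisy track cannot open the throttle on
 * its own; after that the brake always wins over the accelerator. */
throttle_output_t arbitrate_throttle(const pedal_input_t *in)
{
    throttle_output_t out;
    int diff = (int)in->accel_a - (int)in->accel_b;
    if (diff < 0) diff = -diff;
    if (diff > ACCEL_PLAUSIBILITY_TOL) {
        out.mode = MODE_LIMP;
        out.throttle_cmd = LIMP_THROTTLE;
        return out;
    }
    /* Tracks agree: use the lower reading, the conservative choice. */
    uint8_t request = in->accel_a < in->accel_b ? in->accel_a : in->accel_b;
    if (in->brake >= BRAKE_PRESSED_THRESHOLD && request >= OVERRIDE_ACCEL_MIN) {
        out.mode = MODE_BRAKE_OVERRIDE;
        out.throttle_cmd = 0;
        return out;
    }
    out.mode = MODE_NORMAL;
    out.throttle_cmd = request;
    return out;
}

/* Event recorder: ring buffer of the last EDR_DEPTH control cycles, keeping what the pedals
 * reported and what the controller decided. Real recorders keep seconds of data; 8 is illustrative. */
#define EDR_DEPTH 8

typedef struct { uint32_t tick; pedal_input_t in; throttle_output_t out; } edr_sample_t;

typedef struct {
    edr_sample_t buf[EDR_DEPTH];
    uint32_t count; /* samples written so far; overwrites the oldest once full */
} edr_t;

/* One control cycle: arbitrate, then record both the input and the decision. */
throttle_output_t control_step(edr_t *e, uint32_t tick, const pedal_input_t *in)
{
    throttle_output_t out = arbitrate_throttle(in);
    edr_sample_t *s = &e->buf[e->count % EDR_DEPTH];
    s->tick = tick; s->in = *in; s->out = out;
    e->count++;
    return out;
}

/* n-th most recent retained sample (0 = newest), or NULL if it is no longer retained. */
const edr_sample_t *edr_lookback(const edr_t *e, uint32_t n)
{
    if (n >= e->count || n >= EDR_DEPTH) return NULL;
    return &e->buf[(e->count - 1 - n) % EDR_DEPTH];
}

/* Retained cycles spent in a mode: the question an investigator asks of the recorder afterwards. */
uint32_t edr_count_mode(const edr_t *e, throttle_mode_t mode)
{
    uint32_t n = 0, kept = e->count < EDR_DEPTH ? e->count : EDR_DEPTH;
    for (uint32_t i = 0; i < kept; i++)
        if (e->buf[i].out.mode == mode) n++;
    return n;
}

int main(void)
{
    static const char *names[] = { "NORMAL", "BRAKE_OVERRIDE", "LIMP" };
    /* Constructed trace: accelerate, brake hard with the foot still on the accelerator,
     * then one accelerator track drops out. */
    pedal_input_t trace[] = { {30,32,0}, {60,58,0}, {60,61,40}, {60,59,80}, {60,5,80} };
    edr_t edr = {0};
    for (uint32_t t = 0; t < sizeof trace / sizeof trace[0]; t++)
        control_step(&edr, t, &trace[t]);
    for (uint32_t n = 0; edr_lookback(&edr, n); n++) {
        const edr_sample_t *s = edr_lookback(&edr, n);
        printf("t=%u accel=%d/%d brake=%d -> throttle=%d mode=%s\n", (unsigned)s->tick,
               s->in.accel_a, s->in.accel_b, s->in.brake, s->out.throttle_cmd, names[s->out.mode]);
    }
    return 0;
}
```

Run as-is, it replays the constructed pedal trace and prints the retained cycles newest first. The order of the checks is the point: plausibility before override, so a sensor that fails high cannot by itself keep the throttle open, and the recorder stores the controller's decision next to the raw pedal values, which is the kind of evidence a courtroom debate over pedal misapplication versus software fault otherwise lacks.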

In the end, though, engineers can't think of all the possibilities or test for them. They can conduct all manner of bench tests, failure mode analyses, and road tests for torque security, but they can't be expected to imagine trillions of scenarios. "As an engineer, you're never going to be 100% sure," Worm said. "You can get to a level of comfort after you've done your bench testing and validation and verification, but you can never have 100% confidence."

That's especially true for cases like Toyota's. You can't be expected to test for a failure if you don't know what tripped it. "All you can really do is manage the risks," Shaver said. "That's what engineers do."

Today, more than 30,000 lives a year are lost on our roads, GlennA. The belief is that some day, autonomous cars could bring that down to the hundreds. So, yes, I definitely agree with you that self-driving cars will one day save lives. The question is, will our legal system allow it?

I don't remember where I read this, but supposedly the reason that Ford got hit so hard in the Pinto lawsuits (would you be surprised if a high-speed rear-end collision caused a fire - it happens in the movies) was that the cost to repair the design flaw would be more expensive than potential lawsuits. Cost benefit analysis is part of the design process. And actuaries (life insurance) are in the business of putting a value on human lives. I have seen a car commercial where an automatic braking system stops the car while the driver is not paying attention to driving. So there is the potential of a self-driving car to save lives.

You're right, naperlou. You can't prove everything. This is a really complex situation because, as you mention, Toyota cars have driven billions of miles with these electronic throttles. So either you believe that the one-in-a-million error occurred, or you believe that the driver stepped on the wrong pedal. Either way, there's no hard evidence. I just wonder now how the pending cases will be resolved.

I agree with what you are saying naperlou. But in reality, we do NOT accept the risk of death in automobile failures. If we did, Toyota would not be forking over 3 million dollars to two families. Do not get me wrong, if the car is crap and is purposefully sold disregarding safety requirements, then they pay. But as pointed out in this article, throttle by wire is a proven and robust technology and Toyota still has to pay.

Self driving cars? I agree, rules of liability have to be established. But then you would put 99% OF ALL LAWYERS OUT OF A JOB!

Chuck, you bring up a valid and important topic here. There is no way to "prove" everything about a vehicle. Since there are so many vehicles and they are driven so much (in hours and miles) you are likely to run into any error that exists. So, we cannot prevent problems. In safety critical systems one typically designs in multiple failsafes. This is a complex topic. There are also overrides and safe modes. This is a well understood area and is applied in the aerospace industry. Even then, it is not perfect.

The flip side is that we have lived for about a century with automobiles. They cause more deaths than just about anything else. We accept that, even though many of the fatalities involve someone just getting from one place to another, often for trivial reasons. Go figure.

There is probably no real solution. The next step is to outline the liability rules and install those black boxes.
